Tuesday, 21 June 2016

Setup a transparent proxy with Squid and CentOS 7

Forenote: For this tutorial I will be using the 'core' edition of CentOS 7.

We should firstly ensure our system is up to date:

yum update

and proceed by disabling firewalld (it is replaced by iptables-services later in this tutorial):

systemctl stop firewalld
systemctl mask firewalld

and also disable SELinux:

vi /etc/selinux/config

and add / modify the line:

SELINUX=disabled

and set permissive mode on the running system (so we don't need to reboot):

setenforce 0

and then download and compile squid from source:

yum install perl perl-Crypt-OpenSSL-X509 && yum groupinstall "Development Tools"

cd /tmp
curl -O http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.19.tar.gz
tar zxvf squid-3.5.19.tar.gz

cd squid-3.5.19

./configure --prefix=/usr/local/squid --enable-delay-pools
make all
make install

create our squid user:

useradd squid -s /sbin/nologin
chown -R squid:squid /usr/local/squid/var/logs
chown -R squid:squid /usr/local/squid/var/cache

and then let's create our squid config (after a source install the /etc/squid directory does not exist yet, so create it first):

mkdir -p /etc/squid
vi /etc/squid/squid.conf

and add:

cache_dir ufs /usr/local/squid/var/cache/squid 15000 16 256

cache_effective_user squid
cache_effective_group squid

# tweaks
dns_v4_first on

visible_hostname myproxy.local
http_port <your-interface-address>:3128 transparent

## Define our network ##
acl our_network src <your-subnet/24>

## make sure that our network is allowed ##
http_access allow our_network

## finally deny everything else ##
http_access deny all

and initialize the cache directories. Because squid was built with --prefix=/usr/local/squid, its default config file is /usr/local/squid/etc/squid.conf, so pass -f whenever you run it so that it reads /etc/squid/squid.conf instead:

/usr/local/squid/sbin/squid -f /etc/squid/squid.conf -z

Now let's set up the firewall configuration.

Firstly, ensure IP forwarding is enabled:

vi /etc/sysctl.conf

and add:

net.ipv4.ip_forward = 1

and load it now (the entry in /etc/sysctl.conf is what makes it persist across reboots):

/sbin/sysctl -p /etc/sysctl.conf

and then install and enable iptables (the iptables-services package):

yum install iptables-services
systemctl enable iptables
systemctl start iptables

and create our iptables ruleset:

# accept intercepted HTTP and direct proxy connections arriving on the client-facing interface
iptables -t filter -I INPUT 1 -i <source-interface> -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -I INPUT 1 -i <source-interface> -p tcp --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT

# masquerade traffic leaving towards the upstream network; if the box has a separate
# upstream-facing interface, name that one here rather than the client-facing one
iptables -t nat -A POSTROUTING -o <source-interface> -j MASQUERADE
# transparently redirect client HTTP (port 80) traffic into squid on port 3128
iptables -t nat -A PREROUTING -i <source-interface> -p tcp --dport 80 -j REDIRECT --to-port 3128

# note: these rules live in memory only; with iptables-services they are written to
# /etc/sysconfig/iptables and restored at boot once saved (service iptables save)
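Before starting squid it is worth checking that the squid.conf written earlier keeps the proxy closed to anything outside our_network: a transparent proxy that binds every address and never reaches a deny rule is an open proxy. The following is an added example, not code from the original post; check_squid_conf and the two sample configs are constructed, with the post's placeholders filled in with private (RFC 1918) addresses.

```shell
#!/bin/sh
# check_squid_conf (hypothetical helper added here, not from the original post):
# refuse to start a transparent proxy whose squid.conf would make it an open proxy.
# Usage: check_squid_conf /etc/squid/squid.conf ; returns 0 only if every check passes.
check_squid_conf() {
  conf="$1"; rc=0
  # 1. http_port must bind an explicit interface address (addr:port), as the post does.
  if ! grep -Eq '^[[:space:]]*http_port[[:space:]]+[0-9.]+:[0-9]+' "$conf"; then
    echo "http_port does not bind a specific interface address" >&2; rc=1
  fi
  # 2. the final http_access rule must be "deny all": when no rule matches, squid
  #    applies the opposite of the last rule, so ending on an allow opens the proxy.
  last=$(grep -E '^[[:space:]]*http_access' "$conf" | tail -n 1)
  if ! echo "$last" | grep -Eq 'http_access[[:space:]]+deny[[:space:]]+all[[:space:]]*$'; then
    echo "last http_access rule is not 'deny all': ${last:-none}" >&2; rc=1
  fi
  # 3. every "http_access allow <acl>" must be backed by "acl <acl> src <cidr>".
  for name in $(awk '$1=="http_access" && $2=="allow" {print $3}' "$conf"); do
    if ! awk -v n="$name" '$1=="acl" && $2==n && $3=="src" && $4 ~ /^[0-9.]+\/[0-9]+$/ {f=1}
                           END {exit !f}' "$conf"; then
      echo "http_access allow $name is not backed by an address-bound src acl" >&2; rc=1
    fi
  done
  return $rc
}

# Constructed samples: the post's config with placeholders filled with RFC 1918
# values, and a deliberately open one that binds every address and never denies.
sample_good_conf() { cat <<'EOF'
cache_effective_user squid
http_port 192.168.1.1:3128 transparent
acl our_network src 192.168.1.0/24
http_access allow our_network
http_access deny all
EOF
}
sample_bad_conf() { cat <<'EOF'
http_port 3128 transparent
acl anyone src all
http_access allow anyone
EOF
}

tmp=$(mktemp)
sample_good_conf > "$tmp"; check_squid_conf "$tmp" && echo "sample good config: passes"
sample_bad_conf > "$tmp";  check_squid_conf "$tmp" || echo "sample bad config: rejected"
rm -f "$tmp"
```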
